Please answer all parts (2-3 lines answer only) for Upvote. 1. a) Tshark is an o
Question
Please answer all parts (2-3 lines answer only) for Upvote.
1. a) Tshark is an optional, more powerful, packet sniffing utility that may better format the packet sniffing information to conduct a network forensic investigation.
b) We will be studying and practicing tcpdump and capturing packets later in the course. Let's introduce tcpdump to collect DNS evidence.
c) What is the relationship between "grey listing" and arpa lookups?
$ tshark -r dns.pcap -Y 'dns.flags.response == 1' -T fields -e 'frame.time' -e 'ip.dst' -e 'ip.src' -e 'dns.resp.name' -e 'dns.a'
"Mar 7, 2016 00:00:37.630906197 UTC" 192.168.75.158 192.168.75.1 e4805.a.akamaiedge.net 23.13.179.120
"Mar 7, 2016 00:00:37.888927565 UTC" 192.168.75.32 192.168.75.1 c2.com 104.216.49.195
"Mar 7, 2016 03:29:29.310691120 UTC" 10.8.0.10 192.168.75.1 secure.sparklabs.com 66.185.22.121
"Mar 7, 2016 03:30:16.198116184 UTC" 192.168.75.7 192.168.75.1 video-iad3-1.xx.fbcdn.net 31.13.69.202
Explanation / Answer
1.
It matches all possible query answer packets.
To extract any fields, use -T. The -e option identifies the field to be extracted. (frame.time displays the arrival time, whose data type is date and time.)
Extracts the destination IP address (IP = Internet Protocol).
Extracts the source IP address (its data type is IPv4 address).
Extracts the DNS response name (its data type is character string).
-------------------(END OF ANSWER 1)-------------------
2. tcpdump -i enp0s8 -s 0 -G 86400 -w dns.pcap 'port 53'
This command is used to capture packets.
To capture full-size packets (set values 0 or 1; 0 = false and 1 = true).
Rotates the dump file after the specified number of seconds.
Captures and saves the packets to dns.pcap (.pcap is the file format).
Captures a specific port (in this case, port 53 packets are captured).
-------------------(END OF ANSWER 2)-------------------
3. Grey listing is a method/technique by which a large amount of spam can be blocked.
Arpa lookups reverse the mapping for an Internet address by converting the IP address to the host machine address.
Relationship: Grey listing does an onward lookup on a domain to make certain that the returned IP address matches the IP address of the linking server.
-------------------(END OF ANSWER 3)-------------------
#  Option / filter             Explanation
1  dns.flags.response==1       It matches all possible query answer packets.
2  -T fields -e 'frame.time'   To extract any fields, use -T. The -e option identifies the field to be extracted. (frame.time displays the arrival time, whose data type is date and time.)
3  -e 'ip.dst'                 Extracts the destination IP address (IP = Internet Protocol).
4  -e 'ip.src'                 Extracts the source IP address (its data type is IPv4 address).
5  -e 'dns.resp.name'          Extracts the DNS response name (its data type is character string).
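As an added example (not part of the question or of the posted answer), a small Python script that reads the tab-separated output of the tshark command from answer 1 and builds a per-client view of which names resolved to which addresses, plus the list of servers seen answering. The sample rows are constructed from the values on the page; the second A record 31.13.69.203 and the final answer-less row are constructed additions to exercise the multi-record and empty-field cases.

```python
from collections import defaultdict

# Columns in the order the tshark command in answer 1 emits them
FIELDS = ("frame.time", "ip.dst", "ip.src", "dns.resp.name", "dns.a")

# Constructed sample of tshark's tab-separated "-T fields" output, built from
# the rows on the page. The extra 31.13.69.203 answer and the final row with an
# empty dns.a field are constructed to exercise those cases.
SAMPLE = """\
Mar 7, 2016 00:00:37.630906197 UTC\t192.168.75.158\t192.168.75.1\te4805.a.akamaiedge.net\t23.13.179.120
Mar 7, 2016 00:00:37.888927565 UTC\t192.168.75.32\t192.168.75.1\tc2.com\t104.216.49.195
Mar 7, 2016 03:29:29.310691120 UTC\t10.8.0.10\t192.168.75.1\tsecure.sparklabs.com\t66.185.22.121
Mar 7, 2016 03:30:16.198116184 UTC\t192.168.75.7\t192.168.75.1\tvideo-iad3-1.xx.fbcdn.net\t31.13.69.202,31.13.69.203
Mar 7, 2016 03:31:02.000000000 UTC\t192.168.75.7\t192.168.75.1\tnosuch.example\t
"""

def parse_fields(text):
    """Turn -T fields output into dicts. dns.a becomes a list (tshark joins
    several A records with ',' by default); short lines are padded with ''."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        parts += [""] * (len(FIELDS) - len(parts))
        rec = dict(zip(FIELDS, parts))
        rec["dns.a"] = [a for a in rec["dns.a"].split(",") if a]
        rows.append(rec)
    return rows

def index_by_client(rows):
    """Map each querying host (ip.dst of a response) to the names it looked
    up and every address it was handed back; answer-less rows drop out."""
    view = defaultdict(lambda: defaultdict(set))
    for r in rows:
        for addr in r["dns.a"]:
            view[r["ip.dst"]][r["dns.resp.name"]].add(addr)
    return {c: {n: sorted(v) for n, v in names.items()} for c, names in view.items()}

def responders(rows):
    """Distinct servers seen answering; anything other than the expected
    resolver here is a lead worth following in an investigation."""
    return sorted({r["ip.src"] for r in rows})

if __name__ == "__main__":
    rows = parse_fields(SAMPLE)
    for client, names in sorted(index_by_client(rows).items()):
        print(client, names)
    print("responding servers:", responders(rows))
```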